Ticketing
security guide

PCI Compliance and Payment Handling

  • Compliant with PCI-DSS as both a Merchant and a Service Provider.
  • Registered with both Visa and MasterCard as a PCI-compliant Service Provider.
  • Annually audited by a Qualified Security Assessor (BDO USA, LLP).
  • Passes internal and external application and network penetration testing performed by SDG Corporation.
  • Scanned daily by an Approved Scanning Vendor (ASV), Tenable.
  • PCI Attestation of Compliance (AOC) and Quarterly Scan Attestation of Compliance are both available upon request.
  • Credit Card data is never stored by Leap Event Technology.
  • Where possible, Leap Event Technology utilises credit card tokenisation for minimising risk related to cardholder data.
  • Leap Event Technology provides event organisers with the ability to collect in-person payments securely using End to End Encryption (E2EE) payment terminals.

Privacy

  • We have a full-time staff focused on privacy and security issues.
  • We participate in and comply with the EU.U.S. Data Privacy Framework Principles (and the UK Extension).
  • Leap Event Technology processes user personal data in accordance with GDPR’s data protection principles.
  • You can find our privacy policy at https://leapevent.tech/legal/privacy-policy/

Hosting Environment

  • Leap Event Technology uses carrier grade data centres that meet the following certifications:
    • PCI-DSS Level 1 Service Provider 
    • SOC 1 Type II and SOC 2 Type II
    • ISO 27001

Software Development

  • All Leap Event Technology software engineers receive software security training that covers security best practices including covering OWASP Top Ten as well as Mobile Security best practices.
  • Leap Event Technology uses static code analysis tools to analyze code for security vulnerabilities.
  • All Leap Event Technology source code is developed in accordance with a standard SDLC process that includes
    • A software and security code review before being shipped to production.
    • Running through a continuous integration test suite.
    • Manual QA testing.

Encryption

  • All web traffic is encrypted by TLS 1.2 or greater.
  • Leap Event Technology follows NIST recommendations for hashing, symmetric and asymmetric encryption.

Authentication

  • Leap Event Technology offers multi-factor authentication as an option for all Leap Event Technology seller accounts.
  • All API endpoints require authentication in order to be accessed, scoped to existing permission sets from the account the API keys are bound.

Authorisation

  • Leap Event Technology allows fine-grained permission control for seller account users, to adhere to least privilege principles.

Organisation

  • All staff regularly receives security training by trained professionals and must pass security quizzes testing their security awareness.
  • All staff regularly receive simulated phishing tests.
  • All staff must acknowledge security and acceptable use policies and procedures.
  • All staff are subject to detailed background checks.

Security Vulnerability Responsible Disclosure